[Freeipa-devel] [PATCH] 779 Require an imported certificate's issuer to match our issuer

Rob Crittenden rcritten@redhat.com
Thu Jun 16 13:12:38 UTC 2011


Rob Crittenden wrote:
> Jan Cholasta wrote:
>> On 14.6.2011 15:16, Rob Crittenden wrote:
>>> Jan Cholasta wrote:
>>>> On 6.6.2011 21:25, Rob Crittenden wrote:
>>>>> Jan Cholasta wrote:
>>>>>> On 26.4.2011 22:52, Rob Crittenden wrote:
>>>>>>> The goal is to not import foreign certificates.
>>>>>>>
>>>>>>> This caused a bunch of tests to fail because we had a hardcoded server
>>>>>>> certificate. Instead a developer will need to run make-testcert to
>>>>>>> create a server certificate generated by the local CA to test against.
>>>>>>>
>>>>>>> ticket 1134
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>
>>>>>> NACK
>>>>>>
>>>>>> The certificate isn't verified in host-add.
>>>>>>
>>>>>> I suspect that certificates signed by an intermediate CA (i.e. when the
>>>>>> certificate chain length > 2) are considered invalid. Is that the
>>>>>> desired behavior?
>>>>>
>>>>> That will work as long as the issuer is the IPA CA. I see that if we are
>>>>> given a service cert issued by another CA in the chain things could go
>>>>> badly. I'm not sure this is something to really worry about though.
>>>>
>>>> I guess it's not. But I'd like a second opinion on that.
>>>
>>> We really only want to support those certs we issue; otherwise things
>>> like revocation get tricky, because we can't manage things we don't
>>> issue.
>>>
>>>>>> make-testcert fails with:
>>>>>>
>>>>>> Traceback (most recent call last):
>>>>>>   File "./make-testcert", line 126, in <module>
>>>>>>     sys.exit(makecert(reqdir))
>>>>>>   File "./make-testcert", line 105, in makecert
>>>>>>     add=True)
>>>>>>   File "./make-testcert", line 66, in run
>>>>>>     result = self.execute(method, *args, **options)
>>>>>>   File "/home/jcholast/freeipa/ipalib/backend.py", line 142, in execute
>>>>>>     raise error #pylint: disable=E0702
>>>>>> ipalib.errors.CommandError: unknown command 'cert_request'
>>>>>>
>>>>>> This is probably an error on my part (tried running it on both my
>>>>>> machine without IPA installed and on a VM with IPA installed, with no
>>>>>> luck), but nonetheless it should be fixed to fail gracefully so that the
>>>>>> tests in "make test" have a chance to run. Similarly, the tests which
>>>>>> use the test certificate created by make-testcert should be skipped if
>>>>>> the certificate isn't available.
>>>>>
>>>>> You need to take the certificate databases from a self-signed install
>>>>> and copy them to ~/.ipa/alias/ in order to do certificate testing. There
>>>>> is documentation on how to do this in tests/test_xmlrpc/test_cert.py
>>>>>
>>>>> I think this should be mandatory as certificates are a main feature of v2.
>>>>
>>>> No matter what I do, I'm still getting the unknown command error. Can
>>>> you describe the steps needed to make make-testcert successfully run?
>>>>
>>>> BTW, it would be nice if "make test" printed an informational message
>>>> when the requirements to run the tests aren't met instead of failing
>>>> with some random error.
>>>
>>> You need enable_ra = True in ~/.ipa/default.conf. What I tend to do is
>>> copy /etc/ipa/default.conf from my underlying install to ~/.ipa and
>>> comment out the xmlrpc_uri. This is now caught by the script.
>>>
>>> rob
>>
>> These tests fail:
>>
>> test_host[19]: service_mod: Update
>> u'HTTP/testhost1.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM' ... FAIL
>> test_host[20]: service_show: Retrieve
>> u'HTTP/testhost1.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM' to
>> verify update ... FAIL
>>
>> because they expect the CN to be puma.greyoak.com. I'm not sure if this
>> issue is in the scope of this patch - if it's not, then ACK.
>
> I'll fix them up.

attached
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-779-4-cert.patch
Type: text/x-diff
Size: 19906 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110616/6706b261/attachment.bin>
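As an added example, not code from the patch or from FreeIPA, this is the rule the thread settles on for every place a certificate is imported (service-add, host-add): the certificate is accepted only when its issuer is exactly our CA's subject, so a cert from a foreign CA and one from an intermediate chained under the IPA CA are both refused. The DER helpers, the unsigned stand-in certificates and every name in them are constructed for the example and are hypothetical.

```python
def der(tag, body):
    """Encode one DER TLV (definite lengths up to 65535 bytes)."""
    n = len(body)
    length = (bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100
              else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def der_iter(buf):
    """Yield (tag, content) for the TLVs laid end to end in buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                        # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def name(cn, org=None):
    """X.501 Name: SEQUENCE of SET of (OID, UTF8String) attribute pairs."""
    attr = lambda oid, val: der(0x31, der(0x30, der(0x06, oid) + der(0x0C, val.encode())))
    rdns = attr(b"\x55\x04\x0A", org) if org else b""   # 2.5.4.10 organizationName
    return der(0x30, rdns + attr(b"\x55\x04\x03", cn))  # 2.5.4.3 commonName

def stand_in_cert(issuer, subject):
    """Constructed, unsigned X.509 skeleton; fields in their real order."""
    sig_alg = der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSA
    validity = der(0x30, der(0x17, b"110616000000Z") + der(0x17, b"120616000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")  # [0] v3, serial
                    + sig_alg + issuer + validity + subject + der(0x30, b""))  # SPKI omitted
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))  # empty signature: no key here

def issuer_of(cert_der):
    """Return the DER-encoded issuer Name of a Certificate."""
    _, cert_body = next(der_iter(cert_der))
    _, tbs = next(der_iter(cert_body))
    fields = list(der_iter(tbs))
    if fields[0][0] == 0xA0:                # skip optional [0] EXPLICIT version
        fields.pop(0)
    return der(0x30, fields[2][1])          # serialNumber, signature, issuer, ...
IPA_CA = name("Certificate Authority", "EXAMPLE.TEST")  # hypothetical IPA CA subject
SUB_CA = name("Sub CA", "EXAMPLE.TEST")                 # intermediate chained under it
def accept_cert(cert_der, ca_subject=IPA_CA):
    """The patch's rule: the issuer must equal our CA's subject, byte for byte.
    Foreign CAs and intermediates under ours are both refused: IPA cannot
    revoke what it did not issue."""
    return issuer_of(cert_der) == ca_subject
GOOD = stand_in_cert(IPA_CA, name("testhost1.example.test"))
FOREIGN = stand_in_cert(name("greyoak CA"), name("puma.greyoak.com"))
VIA_SUB = stand_in_cert(SUB_CA, name("testhost2.example.test"))
```

Only GOOD passes accept_cert; VIA_SUB fails even though its chain would validate up to the IPA CA, which is exactly the chain-length > 2 case raised in the review.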